Home   >   CSC-OpenAccess Library   >    Manuscript Information
The Three Dimensions of Security
Malik F. Saleh
Pages - 85 - 93     |    Revised - 01-09-2011     |    Published - 05-10-2011
Volume - 5   Issue - 2    |    Publication Date - July / August 2011  Table of Contents
Dimensions of Security, Security, Policy, People, Enforcement of Security
Security is an issue of generally recognized importance. Security starts with you, the user. It is well known that a formal security policy is a prerequisite of security. Having a policy and being able to enforce it is a totally different thing. This paper explains the three aspects of security that should be combined to create a well-rounded solution for securing organizations. This solution examines people, policy and enforcement as three dimensions in the world of security. This paper serves as 1) a conceptual framework for securing organization 2) the basis for formal policy-to-enforcement; 3) It raises awareness that the users should be informed of their roles and responsibilities in protecting the organization; and 4) evidence for writing policies that can be implemented and enforcement involves understanding the policies by the users
1 Google Scholar 
2 CiteSeerX 
3 refSeek 
4 Scribd 
5 SlideShare 
6 PdfSR 
Adams, A. and M.A. Sasse, Users are not the enemy. Communications of the ACM, 1999. 42(12).
Bird, T. What is policy enforcement, and why should we care? 2004; Available from: http://www.computerworld.com/s/article/98080/What_is_policy_enforcement_and_why_should_we_care_?taxonomyId=17&pageNumber=3.
Cisco. Network Admission Control. 2011 [cited 2011 June 28]; Available from: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_nac.html.
Compeau, D., et al., End-user training and learning. Commun. ACM, 1995. 38(7): p. 24-26.
Corporation, M. The Enemy Within. 2005 [cited June 20; Available from: http://www.theregister.co.uk/2005/12/15/mcafee_internal_security_survey/.
Craig, J.S., The human element: training, awareness, and human resources implications of health information security policy under the Health Insurance Portability and Accountability Act (HIPAA), in 2009 Information Security Curriculum Development Conference. 2009, ACM: Kennesaw, Georgia. p. 95-99.
David, J., Policy enforcement in the workplace. Computers & Security, 2002. 21(6): p. 506-513.
Gross, J. and M.B. Rosson. Looking for Trouble: Understanding End-User Security Management. in Computer Human Interaction for the Management of Information Technology (CHIMIT) 2007.
Group, T.C. Trusted Network Connect. 2010 [cited 2011 June 28]; Available from: http://www.trustedcomputinggroup.org/developers/trusted_network_connect/.
Gupta, S., R.P. Bostrom, and M. Huber, End-user training methods: what we know, need to know. SIGMIS Database, 2010. 41(4): p. 9-39.
Hall, D.E., Requirements and policy challenges in highly secure environments, in Proceedings of the 2004 ACM SIGMOD international conference on Management of data. 2004, ACM: Paris, France. p. 897-898.
Höne, K. and J.H.P. Eloff, Information security policy what do international information security standards say? Computers & Security, 2002. 21(5): p. 402-409
Johnson, M., et al., Optimizing a policy authoring framework for security and privacy policies, in Proceedings of the Sixth Symposium on Usable Privacy and Security. 2010, ACM: Redmond, Washington. p. 1-9.
Kumaraguru, P., et al., Teaching Johnny not to fall for phish. ACM Trans. Internet Technol., 2010. 10(2): p. 1-31.
Kvedar, D., M. Nettis, and S.P. Fulton, The use of formal social engineering techniques to identify weaknesses during a computer vulnerability competition. J. Comput. Small Coll., 2010. 26(2): p. 80-87.
Madigan, E.M., C. Petrulich, and K. Motuk, The cost of non-compliance: when policies fail, in Proceedings of the 32nd annual ACM SIGUCCS fall conference. 2004, ACM: Baltimore, MD, USA. p. 47-51.
McCoy, C. and R.T. Fowler, "You are the key to security": establishing a successful security awareness program, in Proceedings of the 32nd annual ACM SIGUCCS fall conference. 2004, ACM: Baltimore, MD, USA. p. 346-349.
Microsoft. Network Access Protection. 2011 [cited 2011 June 28]; Available from: http://www.microsoft.com/windowsserver2008/en/us/nap-main.aspx.
Norman, D.A., The Way I See it: When security gets in the way. interactions, 2009. 16(6): p. 60-63.
Orgill, G.L., et al., The urgency for effective user privacy-education to counter social engineering attacks on secure computer systems, in Proceedings of the 5th conference on Information technology education. 2004, ACM: Salt Lake City, UT, USA. p. 177-181.
Robling, G. and M. Muller, Social engineering: a serious underestimated problem. SIGCSE Bull., 2009. 41(3): p. 384-384.
Saleh, M.F., Information Security Maturity Model International Journal of Computer Science and Security (IJCSS), 2011. 5(3): p. 21.
Sasse, M.A., S. Brostoff, and D. Weirich, Transforming the 'Weakest Link' - a Human/Computer Interaction Approach to Usable and Effective Security. BT Technology Journal, 2001. 19(3): p. 122-131.
Schneider, F.B., Enforceable security policies. ACM Transactions on Information and System Security, 2000. 3(1): p. 30-50.
Schneier, B., Secrets and Lies: Digital Security in a Networked World. 2000, New York: John Wiley & Sons, Inc.
Solmsa, B.v. and R.v. Solms, The 10 deadly sins of information security management. Computers & Security, 2004. 23: p. 371-376.
Vidyaraman, S., M. Chandrasekaran, and S. Upadhyaya, Position: the user is the enemy, in Proceedings of the 2007 Workshop on New Security Paradigms. 2008, ACM: New Hampshire. p. 75-80.
Dr. Malik F. Saleh
Prince Mohammad Bin Fahd University - Saudi Arabia

View all special issues >>